b'REVIEW OF NRC\xe2\x80\x99S CONTROLS OVER\n   WORK PERFORMED UNDER\n            CISSCO\n\n   OIG/99A-13 March 14, 2000\n\x0c                                         March 14, 2000\n\n\n\n\nMEMORANDUM TO:                William D. Travers\n                              Executive Director for Operations\n\n\n                              Stuart Reiter\n                              Acting Chief Information Officer\n\n\nFROM:                         Thomas J. Barchi\n                              Assistant Inspector General for Audits\n\n\nSUBJECT:                      REVIEW OF NRC\xe2\x80\x99S CONTROLS OVER\n                              WORK PERFORMED UNDER CISSCO\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s audit report titled, Review of NRC\xe2\x80\x99s Controls Over\nWork Performed Under CISSCO. This report reflects the results of our review of the quality,\ntimeliness, and reasonableness of costs of work and services performed under the Comprehensive\nInformation Systems Support Consolidation (CISSCO) program.\n\nWe received your March 6, 2000, response to our draft report in which you agreed with our\nrecommendations and provided time frames for the actions you plan to take.\n\nPlease contact me at 415-5915 if you have any questions or if I can provide any additional\ninformation.\n\n\nAttachment: As stated\n\x0c                                          Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nREPORT SYNOPSIS\n\n        In 1996, the U.S. Nuclear Regulatory Commission\xe2\x80\x99s (NRC) Office of Information\n        Resources Management, now the Office of the Chief Information Officer (OCIO),\n        began to integrate the Agency\xe2\x80\x99s numerous computer systems efforts into one\n        contract through a strategy it termed the Comprehensive Information Systems\n        Support Consolidation (CISSCO) program. CISSCO consists of a single contractor,\n        using several subcontractors, to provide a wide-range of information technology\n        services. NRC contracted with the Federal Systems Integration and Management\n        Center of the General Services Administration (GSA/FEDSIM) to procure and\n        manage the services required under CISSCO. In August 1996, GSA/FEDSIM\n        engaged Computer Sciences Corporation as the prime contractor for meeting the\n        needs of CISSCO.(1)\n\n        In June 1998, we performed a survey of CISSCO that raised questions about the\n        adequacy of related management controls. Subsequently, we initiated a review of\n        CISSCO, specifically in terms of the quality, timeliness, and reasonableness of\n        costs for work performed under CISSCO.(2) In general, we found that, while\n        improvements can be made, the Agency has established an adequate process to\n        assure quality products are delivered in a timely manner. In contrast, we found that\n        NRC has not provided the same degree of assurance with regard to the cost of\n        work performed under CISSCO.\n\n        In addition, we found that more than 150 Agency staff could be assigned CISSCO\n        Task Manager (TM) duties. We also found that the skills and experience levels of\n        TMs vary widely and that many do not feel sufficiently trained to effectively manage\n        IT work. In our opinion, assigning TM duties to such a large number of individuals,\n        with widely varying levels of skills and experience, may not be the most efficient or\n        effective method for managing CISSCO work. We believe that the Agency should\n        identify the skills needed to successfully accomplish TM duties, and ensure that\n        staff appointed as TMs are able to effectively manage work under CISSCO.\n\n        We also examined whether the Agency has evaluated the effectiveness of its\n        arrangement with GSA/FEDSIM. We found that the Agency has not formally\n        evaluated the performance or effectiveness of GSA/FEDSIM\xe2\x80\x99s involvement in the\n        CISSCO arrangement. As a result, we question whether the Agency has sufficient\n        assurance that it is effectively expending its resources on the GSA/FEDSIM\n        agreement.\n\n\n    1\n        The scope of this audit did not encompass the basis for the structure of the CISSCO\n        program. We are currently reviewing this issue and will report our findings at a later\n        date.\n    2\n        During our review, we also issued a report related to CISSCO funding procedures,\n        OIG/98A-18, Controls Over Funding for CISSCO Need Improvement, dated May 1999.\n\n        OIG/99A-13                                                                           Page i\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                Finally, in response to issues we raised during our review, the Office of\n                Administration formed a task group to develop guidance on the award and\n                administration of NRC\xe2\x80\x99s Interagency Agreements, including interagency\n                arrangements such as that with GSA/FEDSIM. Also, OCIO officials, in a recent\n                meeting with our office, committed to performing the evaluations of GSA/FEDSIM\n                suggested by NRC Management Directive (MD) 11.1 and to ensuring compliance\n                with the new MD covering interagency agreements.\n\n                This report makes three recommendations to improve the program.\n\n\n\n\n                OIG/99A-13                                                               Page ii\n\x0c                                                     Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\nTABLE OF CONTENTS\n\n\n        REPORT SYNOPSIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i\n        INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n                  BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n        RESULTS OF AUDIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n                  SOME RISKS HAVE NOT BEEN ADEQUATELY ADDRESSED . . . . . . . . . . . . . . . . 3\n                             PROPOSED RISK MITIGATORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4\n                             COSTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\n                                        INDEPENDENT GOVERNMENT COST ESTIMATES . . . . . . . . . . . 6\n                                        NEGOTIATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7\n                                        INDICATIONS OF HIGH COSTS . . . . . . . . . . . . . . . . . . . . . . . . . 7\n                             QUALITY ASSURANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8\n                  TASK MANAGERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n                  NRC DOES NOT FORMALLY EVALUATE THE EFFECTIVENESS OF\n                  USING GSA/FEDSIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n                  MANAGEMENT ACTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n        CONCLUSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13\n        RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14\n        OIG COMMENTS ON THE AGENCY\xe2\x80\x99S RESPONSE . . . . . . . . . . . . . . . . . . . . . 14\n\n        APPENDICES\n                 I           OBJECTIVES, SCOPE, AND METHODOLOGY\n                II           CISSCO PROGRAM SURVEY RESULTS\n                III          ABBREVIATIONS AND ACRONYMS\n               IV            AGENCY RESPONSE TO DRAFT REPORT\n                V            NRC ORGANIZATIONAL CHART\n               VI            MAJOR CONTRIBUTORS TO THIS REPORT\n              VII            OFFICE OF THE INSPECTOR GENERAL PRODUCTS\n\n\n\n\n        OIG/99A-13\n\x0c                                         Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\nINTRODUCTION\n\n         The Nuclear Regulatory Commission\xe2\x80\x99s (NRC) primary vehicle for the development,\n         operation, maintenance, and support of the Agency\xe2\x80\x99s information technology\n         systems and for related operations support is called the Comprehensive Information\n         Systems Support Consolidation (CISSCO) program. In June 1998, the Office of\n         the Inspector General (OIG) performed a survey of the CISSCO program, with\n         regards to Clinger-Cohen Act(1) requirements, that raised questions about the\n         adequacy of related management controls. As a result, we initiated a review of\n         NRC\xe2\x80\x99s controls over the use of resources applied to work performed under\n         CISSCO. During our review, we also issued a report related to CISSCO funding\n         procedures.(2)\n\n         The main objectives of this review were to determine, with regard to CISSCO,\n         whether: (1) NRC is ensuring that (a) projects are completed at a reasonable cost,\n         (b) quality assurance measures are adequate, and (c) products are received in a\n         timely manner; and (2) NRC is evaluating the effectiveness of using the Federal\n         Systems Integration and Management Center of the General Services\n         Administration (GSA/FEDSIM). Appendix I contains information about our\n         objectives, scope, and methodology. Also, as part of this effort, we obtained the\n         opinions of a large number of personnel associated with the CISSCO program and\n         developed a Survey instrument which was administered to 121 individuals.\n         Appendix II contains additional information about the CISSCO Program Survey.\n         This effort was part of OIG\xe2\x80\x99s fiscal year (FY) 1998 Annual Plan.\n\n    BACKGROUND\n\n         One of NRC\xe2\x80\x99s long-term goals in the FYs 1994-1998 Information Technology (IT)\n         Strategic Plan was to implement an open systems client/server environment for the\n         development, integration, and full life cycle management of new application systems\n         and the re-engineering, maintenance, or enhancement of previously developed\n         systems. In 1994, the Office of the Chief Information Officer (OCIO)(3) was tasked\n         to help integrate the Agency\xe2\x80\x99s numerous computer systems efforts into one\n         contract. In order to achieve the goals of the IT Strategic Plan, OCIO needed to\n         provide: agency-wide application development and support tools; training and\n         technical support to assist their customers in re-engineering their applications; and,\n         contractor support working directly with their customers to best serve their needs.\n\n\n\n    1\n         The Clinger-Cohen Act of 1996 sets forth requirements for the Government\xe2\x80\x99s acquisition\n         of information technology.\n\n    2\n         OIG/98A-18, Controls Over Funding for CISSCO Need Improvement, dated May 1999.\n    3\n         In October 1997, the Office of Information Resources Management was incorporated\n         into OCIO. Both offices will be referred to as OCIO throughout this report.\n\n         OIG/99A-13                                                                         Page 1\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                OCIO chose to provide that support through a program it termed CISSCO. CISSCO\n                consists of a single contractor, using several subcontractors, to provide a wide-\n                range of services for the development, operation, maintenance, and support of\n                applications software systems and for related operations support.(4)\n\n                In addition, one of the Agency\xe2\x80\x99s IT objectives was to bring the development, life\n                cycle management, and operations of systems within a framework of standards and\n                consistent methodologies. To that end, OCIO developed the System Development\n                and Life-Cycle Management (SDLCM) Methodology to provide structure and\n                guidance to NRC IT projects through the use of a comprehensive and consistent\n                methodology.\n\n                In July 1995, NRC entered into a Basic Agreement (BA) (5) with GSA/FEDSIM to\n                provide assistance in developing the acquisition strategy to procure the services\n                required under CISSCO. In January 1996, OCIO made the decision to employ\n                GSA/FEDSIM, rather than NRC\xe2\x80\x99s own procurement office, to provide dedicated\n                Contract Office support for CISSCO through the use of its FEDSIM 9600 multiple\n                award contract (MAC). In June 1996, NRC modified the BA to retain\n                GSA/FEDSIM\xe2\x80\x99s services for a 5-year period. Subsequently, in August 1996,\n                GSA/FEDSIM engaged Computer Sciences Corporation (CSC) as the prime\n                contractor for meeting the needs of CISSCO. Therefore, there are two agreements\n                connected to CISSCO work: (1) the BA with GSA/FEDSIM which included\n                identifying and selecting CSC, and now includes the ongoing monitoring of CSC;\n                and, (2) GSA/FEDSIM\xe2\x80\x99s Task Order with CSC to perform information technology\n                work required by NRC under CISSCO.(6)            The BA is a time and materials\n                agreement and the GSA/FEDSIM Task Order with CSC is a cost-reimbursable\n                arrangement with limited firm-fixed price work. In a cost-reimbursable arrangement,\n                the actual costs to NRC will be based on CSC\xe2\x80\x99s resources actually expended which\n                can differ from its initial estimates.\n\n                The GSA/FEDSIM Task Order with CSC is for one Base year, with four Option\n                years. The third Option year has been exercised. The initial projected cost of the\n                full 5-year contract was $46.5 million and, through September 1999, NRC has\n                expended about $29 million on work under CISSCO.\n\n\n\n\n        4\n                The agency has made it mandatory that CISSCO be considered for all appropriate IT\n                work. However, the CIO can grant a waiver to use another contract arrangement. To\n                date, only a few such waivers have been given.\n        5\n                For the purposes of the CISSCO program, the term Basic Agreement is synonymous\n                with Interagency Agreement.\n        6\n                The scope of this audit did not encompass the basis for the structure of the CISSCO\n                program. We are currently reviewing this issue and will report our findings at a later\n                date.\n\n                OIG/99A-13                                                                          Page 2\n\x0c                                          Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nRESULTS OF AUDIT\n\n          By obtaining a contractor through the FEDSIM 9600 MAC, the Agency is provided\n          a level of assurance that the selected contractor will provide quality IT products and\n          services in a timely manner. In general, we found that, although improvements can\n          be made, the Agency has provided further assurance of quality through its\n          implementation of SDLCM and CSC\xe2\x80\x99s adherence to that methodology. We also\n          found that CSC has generally met proposed schedules for product and service\n          delivery and that Agency staff have few concerns in this area.\n\n          In contrast, we found that, even though the FEDSIM 9600 MAC established ceilings\n          for labor rates, NRC is not provided the same degree of assurance with regard to\n          CISSCO costs. This is due largely to the Agency\xe2\x80\x99s decision to have all work\n          performed by a single contractor. We determined that the Agency has not\n          adequately addressed the cost risks associated with this arrangement.\n\n          In addition, we found that more than 150 Agency staff could be assigned CISSCO\n          Task Manager (TM) duties. We also found that the skills and experience levels of\n          TMs vary widely and that many do not feel sufficiently trained to effectively manage\n          IT work. In our opinion, assigning TM duties to such a large number of individuals,\n          with widely varying levels of skills and experience, may not be the most efficient or\n          effective method for managing CISSCO work. We believe that the Agency should\n          identify the skills needed to successfully accomplish TM duties, and ensure that\n          staff assigned TM duties are able to effectively manage work under CISSCO.\n\n          Also, we found that the Agency has not formally evaluated the performance or\n          effectiveness of GSA/FEDSIM\xe2\x80\x99s involvement in the CISSCO arrangement. As a\n          result, we question whether the Agency has sufficiently assured the efficient use\n          of resources expended on CISSCO-related products and services.\n\n          In addition to our main objectives, our review encompassed a number of additional\n          CISSCO activities. To that end, we determined that (1) CSC\xe2\x80\x99s charges for the cost\n          of estimates are allowable, (2) CSC appropriately bills for employees not on the\n          dedicated CISSCO team, and (3) CSC employees not on the dedicated CISSCO\n          team are correctly accounted for in Small Business reports.\n\n\n    SOME RISKS HAVE NOT BEEN ADEQUATELY ADDRESSED\n\n          As part of our review, we examined proposed risk mitigators, the reasonableness\n          of CISSCO costs, and the Agency\xe2\x80\x99s efforts with quality assurance. The Federal\n          Acquisition Regulation (FAR) states that, prior to entering into a contract for\n          information technology, an agency should analyze risks, benefits, and costs. The\n          CISSCO strategy raised a number of risk concerns which OCIO asserted would be\n          addressed by risk mitigators incorporated into the program. However, we found that\n          many of the proposed mitigating controls are not in place and that NRC has not\n\n\n\n          OIG/99A-13                                                                         Page 3\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                sufficiently assured the reasonableness of CISSCO costs. We also believe the\n                Agency can more proactively ensure the efficient expenditure of resources for\n                quality assurance.\n\n                PROPOSED RISK MITIGATORS\n\n                Prior to the Agency\xe2\x80\x99s selection of the single contractor approach for CISSCO, the\n                Office of Administration\xe2\x80\x99s Division of Contracts and Property Management\n                (ADM/DCPM) identified several risk areas related to the CISSCO arrangement.\n                OCIO responded that risk mitigators incorporated into CISSCO would safeguard\n                against the identified risks. However, we found that OCIO has discontinued, or in\n                some instances, never implemented a number of the proposed controls.\n\n                As stated above, OCIO assessed the risk areas identified by DCPM prior to\n                CISSCO\xe2\x80\x99s implementation and concluded that CISSCO would not pose an\n                unacceptable level of risk to the Agency. OCIO supported its conclusion by\n                proposing that a number of risk mitigators would be incorporated into CISSCO,\n                including:\n\n                1.      NRC staff would review, approve, and authorize all work.\n\n                2.      NRC and GSA/FEDSIM would develop the Independent Government Cost\n                        Estimate (IGCE).\n\n                3.      An NRC contract management team would be solely dedicated to CISSCO.\n\n                4.      An NRC Senior Management Team would provide periodic reviews of\n                        CISSCO project management.\n\n                5.      An independent validation and verification (IV&V) contractor would assist\n                        OCIO\xe2\x80\x99s program director in reviewing contractor technical proposals, as well\n                        as auditing the work performed under the FEDSIM contract [a cost control].\n\n                6.      All CISSCO Task Managers would receive specialized program\n                        management training.\n\n                7.      All CISSCO requirements would not be completed under just one task\n                        order; several task orders were anticipated with technical oversight provided\n                        by the \xe2\x80\x9cprime\xe2\x80\x9d task order awardee.\n\n                A GSA/FEDSIM official told us that he understood that the CISSCO approach to\n                cost control was to be based on an IV&V contractor. He also stated that managing\n                costs for individual tasks (monitored through individual Task Assignment Control\n                (TAC) numbers) hinged on the expertise and control of the TMs.\n\n\n\n\n                OIG/99A-13                                                                     Page 4\n\x0c                                      Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n    In addition, FAR requires that interim evaluations be performed on multi-year\n    contracts greater than $100,000. In our opinion, these evaluations would provide\n    valuable information about CSC performance. Under CISSCO, GSA/FEDSIM would\n    perform such evaluations.\n\n    The CISSCO concept was approved by NRC senior management based, in part,\n    on the risk mitigators proposed by OCIO. However, we found that, although NRC\n    staff review and approve all work, many of the other proposed control features were\n    not implemented. For example (as numbered above):\n\n    2.      GSA/FEDSIM is not involved in preparing IGCEs.(7)\n\n    4.      An Executive Oversight Team was formed and held two meetings in the\n            early stages of CISSCO\xe2\x80\x99s implementation. However, this team was\n            disbanded by the Chief Information Officer (CIO) who determined that the\n            additional management oversight was no longer needed.\n\n    5.      Although an IV&V contract was placed, the contract was canceled by the\n            CIO due to budget considerations and his opinion that his staff could\n            adequately oversee the CISSCO program.\n\n    6.      Training for CISSCO TMs consists of two overview courses: one 2\xc2\xbd-hour\n            class on CISSCO procedures, one 4-hour class on SDLCM. Although these\n            courses meet the intent of the agreement to provide specialized training,\n            neither course addresses the preparation of IGCEs or Statements of Work\n            (SOW).\n\n    7.      All CISSCO requirements have been addressed with one Task Order.\n\n    Additionally, although GSA/FEDSIM was to provide third-party objectivity with\n    unbiased, independent reviews under CISSCO, we found that GSA/FEDSIM relies\n    almost solely on feedback from NRC TMs to gauge CSC work. We also determined\n    that GSA/FEDSIM has not performed the evaluations noted in FAR.\n\n    COSTS\n\n    The GSA/FEDSIM 9600 MAC Task Order Contract with CSC resulted from\n    competition and established ceiling rates for CSC hourly labor. However, the\n    overall cost of non-fixed fee projects is dictated not by the labor rate but by the\n    hours worked plus fees and other direct and indirect costs. Costs are also affected\n    by the skill levels of contractor personnel, contractor personnel turnover, and the\n    contractor\xe2\x80\x99s work processes, among other things.\n\n\n\n\n7\n    Although it was expected that GSA/FEDSIM would perform this duty, a GSA/FEDSIM\n    official told us that given that the agreement with NRC is a time and materials contract,\n    they will only carry out these duties at NRC\xe2\x80\x99s request.\n\n    OIG/99A-13                                                                           Page 5\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                In our opinion, the use of a single contractor and the absence of many of the\n                proposed risk mitigators makes the effective use of existing cost controls even more\n                crucial. In addition, more than 20 percent of CISSCO work is performed by\n                subcontractors and other CSC units not subject to the labor rates set in FEDSIM\n                9600. To that end, we reviewed CISSCO IGCEs to determine their effectiveness\n                in planning and subsequent negotiation. We found that the IGCEs are ineffective\n                as a cost control and that CSC estimates are generally non-negotiable.\n\n                Independent Government Cost Estimates\n\n                FAR states that \xe2\x80\x9ca cost is reasonable if, in its nature and amount, it does not exceed\n                that which would be incurred by a prudent person in the conduct of competitive\n                business. Reasonableness of specific costs must be examined with particular care\n                in connection with firms or their separate divisions that may not be subject to\n                effective competitive restraints. No presumption of reasonableness shall be\n                attached to the incurrence of costs by a contractor.\xe2\x80\x9d\n\n                The IGCE is the Government\xe2\x80\x99s estimate of the resources, and the estimated cost\n                of resources, a prudent contractor will incur in the performance of a contract. The\n                IGCE is used to evaluate proposals to determine whether price or expected cost is\n                fair and reasonable. The quality and price of an acquisition is dependent on the\n                accuracy and reliability of the IGCE. Variations between the contractor\xe2\x80\x99s proposal\n                and the IGCE require analysis since parts of the IGCE, especially first time\n                acquisitions, are based on uncertainties. Knowing where these uncertainties exist\n                allows the IGCE to be a useful tool in the evaluation process and in the\n                determination of a fair and reasonable price. Department of Defense training\n                documents describe the IGCE as one of the most important factors to be\n                considered in making mandatory determination that the proposed contract price is\n                fair and reasonable.\n\n                The NRC CISSCO Task Management Guide states that the IGCE (1) provides a\n                guide to fair and reasonable pricing, (2) is used to evaluate cost realism and the\n                underlying cost assumptions of the contractor\xe2\x80\x99s response, and (3) establishes a\n                basis for reasonable negotiations. Additionally, according to Agency project\n                manager training material, a well-written SOW is crucial to developing a useful\n                IGCE, and also serves as a standard to judge the efficiency of contractor\n                performance.\n\n                After receiving CSC\xe2\x80\x99s response to a work request, NRC personnel compare the\n                dollar amount estimated by CSC to the IGCE. Any sizeable differences would\n                indicate that there might be a misunderstanding of the work requirements or in the\n                scope of the requested work; a difference might also indicate an error in the\n                contractor\xe2\x80\x99s proposed cost. In order to be effective, an IGCE should closely reflect\n                the probable actual cost of the project. After comparing the IGCE to the CSC\n                estimate, NRC personnel can negotiate with CSC on the cost and scope of the\n                TAC.\n\n                In order to gain an understanding of the effectiveness of CISSCO IGCEs, we\n\n                OIG/99A-13                                                                      Page 6\n\x0c                                    Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n    analyzed data from the CISSCO TAC System (CTACS).(8) CTACS contains both\n    the NRC estimate amounts (IGCEs) and the estimates submitted by CSC with its\n    written response to NRC work requests. Based on our analysis, only 43 percent of\n    CISSCO IGCEs are within 25 percent of the CSC-proposed cost. Because the\n    IGCEs generally differ significantly from the accepted costs for a project, we believe\n    they are not fully effective for planning and budgeting purposes. In addition, IGCEs\n    are not useful in negotiations (see next section).\n\n    To be an effective cost control, IGCEs must be prepared independently. However,\n    TMs told us that in order to have the appropriate amount of funds set aside, they\n    adjust their IGCEs to try to get closer to what they anticipate CSC\xe2\x80\x99s estimates will\n    be (despite the differences noted above). Given this, we question whether IGCEs\n    are being prepared independently as intended. Therefore, they will have little, if\n    any, effect on ensuring the reasonableness of CISSCO costs. Furthermore, we\n    found that GSA/FEDSIM does not receive or review IGCEs, thereby eliminating any\n    contracting office insight.\n\n    Negotiations\n\n    Prior to submitting a work request to CSC, the Agency prepares an SOW and an\n    IGCE which are to be used as the basis for negotiating a final price and scope with\n    CSC, if necessary. After receiving the CSC proposal, Agency personnel\n    presumably would negotiate with CSC on these details. However, NRC Task\n    Managers told us that CSC\xe2\x80\x99s proposed costs for a TAC are generally non-\n    negotiable. Task Managers also told us that the only method for reducing costs is\n    to reduce the scope of the requested work. CSC officials confirmed this. Once\n    CSC has constructed its cost estimate, it does not lower that estimate except with\n    an associated agreement to reduce the level of effort.\n\n    Indications of High Costs\n\n    In a non-competitive situation, it is very difficult to directly evaluate the\n    reasonableness of the cost of a project. However, TMs identified several TACs that\n    raise questions regarding CISSCO costs, including the following two examples:\n\n    C       The cost of a TAC to provide an update to a database for annual changes\n            to budget tracking software was about $12,800 for FY 1997. The same\n            work for FY1998, based essentially on a copy of the FY 1997 SOW, cost\n            about $32,580.\n\n\n\n\n8\n    CTACS is the system used by NRC and CSC CISSCO program staff to track data on\n    individual TACs.\n\n    OIG/99A-13                                                                         Page 7\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                \xe2\x80\xa2       A TAC was issued to create an interface utility program, which would allow\n                        the conversion and transporting of data between two systems. CSC\'s\n                        estimate for the work was $10,977. The program office declined CSC\xe2\x80\x99s\n                        proposed cost and subsequently issued the identical SOW to an outside\n                        contractor which completed the work within 2 weeks for $900.(9) The\n                        program office stated that they received a quality product.\n\n                In addition, the Agency has created at least one agreement outside of CISSCO\n                designed to complete work on smaller-scale systems. Some work of this type is\n                also performed in-house to overcome inefficiencies in getting smaller types of jobs\n                completed under CISSCO. We found that about one-third of CISSCO tasks cost\n                less than $10,000. This indicates that the Agency might benefit further from\n                addressing potential inefficiencies in performing the large number of smaller tasks\n                being conducted under CISSCO.\n\n                Costs were the main concern of respondents to our CISSCO Program Survey. They\n                said they feel that costs under CISSCO are commensurate with work completed\n                between \xe2\x80\x9chalf\xe2\x80\x9d and \xe2\x80\x9cmost\xe2\x80\x9d of the time, a low score in our opinion. In addition, more\n                than 70 percent of the respondents indicated that competition would benefit the\n                Agency in controlling costs.\n\n                Senior CISSCO program officials told us they are confident, based on personal\n                experience and the lack of evidence to the contrary, that CSC costs are reasonable.\n                Therefore, they do not believe that it would be cost-beneficial to test the\n                reasonableness of CSC costs. At the same time, according to these officials, it is\n                the CISSCO TMs who have the ultimate responsibility for assessing and ensuring\n                the reasonableness of costs. However, according to our Survey, 82 percent of\n                TMs indicated that they did not feel they have adequate control over costs under\n                CISSCO.\n\n                QUALITY ASSURANCE\n\n                According to CISSCO program officials, quality assurance (QA) is the responsibility\n                of CSC and they believe that CSC is adequately ensuring the quality of its products\n                and services through its internal QA efforts. We examined the Agency\xe2\x80\x99s efforts to\n                ensure the quality of products and services delivered under CISSCO. We found\n                that NRC relies on CSC\xe2\x80\x99s compliance with SDLCM, CSC\xe2\x80\x99s CISSCO Quality\n                Assurance Plan (QA Plan), and on TM feedback to ensure quality. Respondents\n                to our Survey, including TMs, said they were satisfied with the quality of CSC\n                products \xe2\x80\x9cmost of the time.\xe2\x80\x9d However, we also found that much QA documentation\n                is being produced by CSC, per their CISSCO QA Plan, that is not being reviewed\n                by either GSA/FEDSIM or NRC personnel. As a result, we believe the Agency\n                cannot ensure that resources directed toward QA are being used efficiently.\n\n                FAR defines Government contract QA as the various functions, including\n\n\n        9\n                The Agency also paid approximately $1,969 to CSC for the cost of the estimate.\n\n                OIG/99A-13                                                                       Page 8\n\x0c                                      Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n      inspections, performed by the Government to determine whether a contractor has\n      fulfilled the contract obligations pertaining to quality and quantity. The contracting\n      office is responsible for developing and applying efficient procedures for performing\n      Government contract QA actions under the contract; performing all actions\n      necessary to verify whether the supplies or services conform to contract quality\n      requirements; and maintaining suitable records reflecting the nature of Government\n      contract QA actions. In addition, the contracting office is responsible for\n      recommending any changes necessary to the contract, specifications, instructions,\n      or other requirements that will provide more effective operations or eliminate\n      unnecessary costs.\n\n      Under the Task Order agreement with GSA/FEDSIM, CSC is given responsibility\n      for overall QA. However, the agreement also states that Government QA will be\n      conducted throughout the CISSCO program to verify that all contractor delivered\n      products and services conform to the requirements of the Basic Agreement\n      between GSA/FEDSIM and NRC, the Task Order with CSC, and the standards and\n      established methodologies for IT development.\n\n      According to the NRC CISSCO Task Manager Guide, the CISSCO Program\n      Management team includes Task Area Leads, who have specific responsibilities for\n      QA and quality control, and TMs, who are responsible for ensuring that TACs are\n      completed with quality through monitoring of contractor performance. However, we\n      found that neither GSA/FEDSIM, the contracting office, nor NRC are examining\n      CSC\xe2\x80\x99s work performed under its QA Plan.\n\n      In our opinion, the Agency should be more proactive to ensure that QA efforts are\n      both effective and efficient. Without sufficient review and monitoring of CSC\xe2\x80\x99s QA\n      efforts, specifically the QA Plan, the Agency cannot be sure that it is expending its\n      resources efficiently. As suggested by FAR, we believe that surveillance, for\n      example, of CSC QA activity, is a proactive measure that can ensure not only that\n      quality is built into this work but also that excessive or unnecessary QA costs are\n      not incurred. Such proactive effort is less costly than attempting to inspect for\n      quality after work is completed (e.g., through TM feedback). We also believe that\n      NRC should ensure the performance of sufficient monitoring so that it can\n      effectively, as indicated by FAR, recommend any changes necessary to the\n      contract, specifications, instructions, or other requirements that will provide more\n      effective operations or eliminate unnecessary costs.\n\nT ASK MANAGERS\n\n      CISSCO Task Managers play a significant role in the evaluation and assessment\n      of the cost, quality, and timeliness of CISSCO IT services and products. OCIO\n      senior managers and CISSCO program officials told us that TMs are responsible,\n      and accountable, for these details for each TAC they manage. We found that the\n      skills and experience levels of TMs under CISSCO vary widely, and that many of\n      these TMs do not feel sufficiently trained to effectively manage IT work. We found\n      that more than 150 staff could, at some point, be given the responsibility of\n      managing CISSCO TACs. We believe that assigning task management duties to\n\n      OIG/99A-13                                                                         Page 9\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                such a large number of TMs, with widely varying levels of skills and experience, may\n                not be the most efficient or effective method for managing CISSCO work.\n\n                Management Directive (MD) 10.77, Employee Development and Training, states\n                that NRC\xe2\x80\x99s objectives are to provide training and development programs for\n                employees to maintain the skills needed to perform their current job effectively, and\n                to broaden their capabilities to meet future skill needs of the Agency. The MD also\n                states that it is the responsibility of the Office of Human Resources (HR) to\n                establish, operate, maintain and evaluate nontechnical training programs to improve\n                individual and organizational performance in support of accomplishing the mission\n                of the Agency. According to the MD, Office Directors are to periodically provide\n                forecasts of training needs to the Director, HR, and Line Managers and Supervisors\n                are required to meet at least semiannually with staff to ensure that all are qualified\n                to perform assigned tasks.\n\n                According to the NRC CISSCO Task Manager Guide and CISSCO program\n                officials, TMs are responsible for ensuring that TACs are completed with quality, on\n                schedule, and within budget through monitoring of contractor performance. Also,\n                as previously stated, GSA/FEDSIM relies on feedback from TMs to gauge CSC\n                work. In other words, TMs are relied upon to provide assessments of the quality of\n                work performed by CSC and the reasonableness of the cost of that work. However,\n                we found that many TMs do not feel they have been sufficiently trained to properly\n                plan or manage CISSCO work. In addition, CISSCO program officials told us that\n                the TMs, especially those not in OCIO, may lack the IT knowledge and experience\n                necessary to manage IT work.\n\n                In order to understand the experience levels of TMs under CISSCO, we reviewed\n                data regarding the TACs they manage. The results are shown in Table 1.\n\n\n                Table 1: Number of TACs Managed by TMs\n\n                 Number           Number of         Percent of      Total Number           Percent of Total\n                 of TACs          TMs               TMs             of TACs                Number of TACs\n                 Managed          (61 total)           (%)          (of 275 total)               (%)\n                             >3                20             33                     203                74\n                              3                 9             15                      27                10\n                              2                13             21                      26                  9\n                              1                19             31                      19                  7\n\n                 TOTALS                        61           100%                     275              100%\n\n                Source: OIG analysis of CTACS data as of September 9, 1999\n\n\n\n\n                OIG/99A-13                                                                            Page 10\n\x0c                                    Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nAs shown in the table, 74 percent of these TACs were managed by only 33 percent\nof the Task Managers (those who have managed more than 3 TACs). The\nremaining 26 percent were managed by 67 percent of the TMs (those who have\noverseen three or fewer TACs). That is, a large number of TMs are managing very\nfew TACs. Table 2 shows a breakdown by NRC program office.\n\n\nTable 2: Number of TACs Managed by TMs by Office\n\n Program            Number of          Percent of            Number of       Percent of\n Office             TMs                TMs (%)               TACs (of 275    TACs (%)\n                    (61 total)                               total)\n\n OCIO                             29                 48                186                68\n\n Non-OCIO                         32                 53                 89                32\n\nSource: OIG analysis of CTACS data as of September 9, 1999\n\n\n\nThis data shows that most non-OCIO TMs are doing very few TACs, which could\nresult in their having greater difficulty in effectively managing work. As shown\nabove, 32 percent of TACs are managed by non-OCIO TMs. Further analysis\nrevealed that about one third of the 89 TACs shown are managed by just two of the\n32 non-OCIO TMs. A senior CISSCO program official agreed with this assessment\nand noted that non-OCIO TMs may not possess the IT experience needed to\neffectively manage TACs. In fact, according to our CISSCO Program Survey, 41\npercent of all responding TMs said that they were not sufficiently familiar with the\nAgency\xe2\x80\x99s IT architecture, and planned changes to the architecture, to effectively\nplan or manage IT work.\n\nAs stated earlier in this report, IGCEs need to be accurate and reliable in order to\nassess the quality and costs of acquisitions. A well-written SOW is crucial to\ndeveloping a useful IGCE. However, 40 percent of the TMs who responded to our\nCISSCO Program Survey indicated that they had not received sufficient training and\nguidance in preparing IGCEs. In addition, 28 percent of the responding TMs\nindicated they had not received sufficient training in preparing SOWs. In our\nopinion, the Agency needs to ensure that all personnel charged with the important\nresponsibilities of planning, managing, and assessing work under CISSCO have the\nappropriate skills needed to carry out their assigned duties.\n\nAs of February 15, 2000, there have been 66 TMs who have managed TACs.\nHowever, according to OCIO figures, more than 150 NRC staff have been certified\nby OCIO to be CISSCO TMs by completing the two required CISSCO training\ncourses.       Given this large number of staff who could be assigned TM\nresponsibilities, and the varying levels of their skills and experience, we question\nwhether this is the most efficient and effective method for managing CISSCO work.\n\n\nOIG/99A-13                                                                            Page 11\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n        NRC DOES NOT FORMALLY EVALUATE THE EFFECTIVENESS OF USING GSA/FEDSIM\n\n                NRC\xe2\x80\x99s Management Directive system provides guidance for Agency procurement\n                actions. As we note below, the Agency is currently developing new guidance for\n                interagency agreements that will supplement existing directives. Existing guidance\n                suggests that the Agency conduct annual evaluations for certain, larger dollar\n                procurement agreements. In our opinion, such evaluations are part of good\n                business practices. These evaluations, and contractor comments in response,\n                would be used to discuss contractor performance and customer satisfaction, and\n                provide information to other Federal agencies seeking input on contractors\xe2\x80\x99\n                performance while doing business with NRC. Such evaluations also provide current\n                information to NRC Source Evaluation Panels, and other Federal agencies as\n                requested, for source-selection purposes. In our opinion, performance evaluations\n                also provide supporting justification for exercising option years of multi-year\n                agreements.\n\n                In a March 1996 memorandum to the Chairman, the Executive Director for\n                Operations stated that the use of GSA/FEDSIM would provide NRC with technical\n                expertise; timely, value-added acquisitions; and third party objectivity with unbiased,\n                independent reviews. In addition, in a May 1996 memorandum acknowledging the\n                use of GSA/FEDSIM for systems integration, the Chairman cautioned the NRC staff\n                to ensure that the interagency agreement be crafted to ensure timeliness and level\n                of expertise commitments from GSA/FEDSIM. The Chairman added that the staff\n                should ensure that NRC objectives have been satisfactorily addressed in the first\n                year of CISSCO implementation before longer term commitments under the\n                interagency agreement were made. We believe such expectations should be\n                included in evaluations of performance.\n\n                We found that OCIO has not conducted formal evaluations of GSA/FEDSIM\xe2\x80\x99s\n                performance. Currently, OCIO informally assesses GSA/FEDSIM\xe2\x80\x99s performance\n                through daily interaction, periodic meetings, and ad hoc reports which keep OCIO\n                informed of issues within the program. The NRC\xe2\x80\x99s CISSCO Program Director\n                believes this evaluation method is sufficient and maintains no documentation of this\n                evaluation. We believe that, without the support of formal evaluations, the Agency\n                cannot be sufficiently assured that it is making effective use of its resources in\n                continuing the agreement with GSA/FEDSIM.(10)\n\n        MANAGEMENT ACTIONS\n\n                In response to OIG concerns, ADM has formed a task group to develop a\n                management directive and handbook on the award and administration of NRC\xe2\x80\x99s\n                Interagency Agreements. These documents will define the responsibilities of\n                Agency personnel working with interagency and international agreements, and will\n\n\n        10\n                We note that the charges to NRC under the Basic Agreement with GSA/FEDSIM rose\n                from an average of about $15,000 per month in FY 1998 to about $19,000 per month in\n                FY 1999 due to additional cost recovery fees imposed by GSA/FEDSIM.\n\n                OIG/99A-13                                                                      Page 12\n\x0c                                       Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n        contain procedures for administration of these agreements. The guidance will\n        address interagency arrangements, such as that with GSA/FEDSIM.\n\n\nCONCLUSIONS\n\n        The Agency has chosen to provide for many of its IT needs through an innovative\n        effort - CISSCO. In doing so, it hopes to avoid and correct past difficulties with\n        systems development and maintenance. Nonetheless, the Agency\xe2\x80\x99s contract\n        arrangement for CISSCO is of a type that places most of the risk for performance\n        on the Agency itself.\n\n        Based on our review, CSC generally appears to be providing products and services\n        that meet the Agency\xe2\x80\x99s quality guidelines (via SDLCM) within agreed-to delivery\n        dates. However, we believe that the Agency should be more proactive to ensure\n        that QA efforts are both effective and efficient. Without sufficient review and\n        monitoring of CSC\xe2\x80\x99s QA efforts, specifically the QA Plan, the Agency cannot be sure\n        that it is expending its resources efficiently.\n\n        We also believe that improvements are needed to effectively mitigate risks\n        associated with this contracting arrangement. In our opinion, the Agency has made\n        a presumption of reasonableness of cost without sufficient basis. We also found\n        that, although several features were originally incorporated into the CISSCO\n        concept to safeguard against identified risks, OCIO did not implement or continue\n        with a number of the proposed controls. We believe that the implementation of the\n        proposed risk mitigating features could have addressed the vulnerabilities related\n        to costs in this type of contract arrangement.\n\n        Furthermore, in both our CISSCO Program Survey and in interviews, we found that\n        cost is the main concern of those involved with CISSCO. Given the single-\n        contractor arrangement, we believe that NRC has not provided sufficient assurance\n        of the reasonableness of costs for work performed under CISSCO. Without\n        competition for NRC work, the use of the IGCE and any resulting negotiation\n        become the main avenue available to the Agency to provide assurance that costs\n        are reasonable. However, with a single contractor, the effective use of this tool\n        must be based on a demonstration that costs will generally be reasonable for work\n        performed. This assurance, normally provided by competition, can be provided by\n        other practices; for example, the use of an IV&V. Without such independent cost\n        assurances, the Agency must rely on other methods to provide assurance of the\n        reasonableness of costs. In our opinion, the Agency has not provided that\n        assurance for CISSCO. We also believe these cost control weaknesses are directly\n        related to the structure of the CISSCO program. As noted earlier, we plan to\n        explore this structure with additional work, the results of which may impact any\n        actions the Agency decides to take to provide adequate assurance of the\n        reasonableness of costs for work performed under CISSCO.\n\n        In addition, we believe that the Agency should reassess the decision to assign\n        CISSCO task management responsibilities to such a large number of individuals.\n\n        OIG/99A-13                                                                       Page 13\n\x0cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n                The Agency should also identify the skills needed to successfully accomplish TM\n                duties and ensure that staff appointed as TMs are able to effectively manage work\n                under CISSCO.\n\n                With regard to the Basic Agreement with GSA/FEDSIM, existing guidance suggests\n                that the Agency conduct annual evaluations for certain, larger dollar procurement\n                agreements. We believe that the informal evaluation of GSA/FEDSIM currently\n                being done does not satisfy this guidance. In our opinion, without a more rigorous\n                evaluation of GSA/FEDSIM\xe2\x80\x99s performance, the Agency cannot be assured that it is\n                effectively expending resources on this agreement.\n\n\n\nRECOMMENDATIONS\n\n                The Agency needs to ensure that its limited resources are used effectively and\n                efficiently. Because we plan to review the structure of the CISSCO program, we are\n                not making recommendations regarding the reasonableness of costs at this time.\n                To address the other areas discussed in this report, we recommend that the Acting\n                Chief Information Officer:\n\n                1.      Be more proactive in ensuring that CSC\xe2\x80\x99s efforts under its Quality\n                        Assurance Plan are an efficient use of Agency resources by, for example,\n                        performing a review of CSC\xe2\x80\x99s QA efforts on a semiannual basis.\n\n                2.      Work with the Executive Director for Operations to:\n\n                        (a) assess the effectiveness of assigning CISSCO task management\n                        responsibilities to such a large number of individuals, (b) identify the skills\n                        needed to successfully accomplish TM duties, and (c) ensure that personnel\n                        assigned as TMs are adequately prepared to carry out these responsibilities.\n\n                3.      Pending issuance of the new MD covering interagency agreements, conduct\n                        the annual, formal evaluations of the interagency agreement with\n                        GSA/FEDSIM suggested by NRC\xe2\x80\x99s MD 11.1.\n\n\nOIG COMMENTS ON THE AGENCY\xe2\x80\x99S RESPONSE\n\n                On March 6, 2000, the Acting Chief Information Officer, in coordination with the\n                Office of the Executive Director for Operations, responded to our draft report. They\n                agreed with our recommendations and provided time frames for the actions they\n                plan to take. We believe those actions will address the intent of our\n                recommendations. Also, based on discussions with OCIO officials, we have made\n                changes to the report where appropriate.\n\n\n\n\n                OIG/99A-13                                                                      Page 14\n\x0c                                                                                     Appendix I\n                                       Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\n        The main objectives of our audit were to determine, with regard to the Agency\xe2\x80\x99s\n        Comprehensive Information Systems Support Consolidation (CISSCO) program,\n        whether: (1) the Nuclear Regulatory Commission (NRC) is ensuring that\n        (a) projects are completed at a reasonable cost, (b) quality assurance measures are\n        adequate, and (c) products are received in a timely manner; and (2) NRC is\n        evaluating the effectiveness of using the General Services Administration\xe2\x80\x99s Federal\n        Systems Integration and Management Center (GSA/FEDSIM).\n\n        Additional objectives of our review were to determine whether: (1) Computer\n        Sciences Corporation (CSC) charges for estimates are allowable; (2) CSC\n        appropriately bills for employees not on the dedicated CISSCO team; and (3) CSC\n        employees not on the dedicated CISSCO team are being appropriately counted for\n        Small Business purposes. We focused on reviewing the management controls\n        associated with CISSCO and included all work performed under the contract from\n        inception to date. The scope of this audit did not encompass the appropriateness\n        of the CISSCO contractual arrangements. We are currently reviewing this issue\n        and will report our findings at a later date.\n\n        To accomplish our objectives, we reviewed the Agency\xe2\x80\x99s controls over costs, quality\n        assurance, and timeliness of product and service delivery. We interviewed CISSCO\n        program officials, GSA/FEDSIM officials, CSC officials, and other NRC personnel\n        involved with CISSCO. We also held discussions with the U.S. Agency for\n        International Development, an Agency using a similar IT acquisition approach\n        through the GSA/FEDSIM information technology vehicle, and with the Office of\n        Federal Procurement Policy which provides guidance related to the use of Multiple\n        Award Contracts.\n\n        In addition, we analyzed the Agency\xe2\x80\x99s Basic Agreement with GSA/FEDSIM and\n        GSA/FEDSIM\xe2\x80\x99s contract with CSC. We reviewed the Federal Acquisition\n        Regulation and NRC\xe2\x80\x99s Management Directives for associated requirements. We\n        also examined data from the CISSCO TAC System that is used to track work under\n        CISSCO and reviewed documentation for a number of CISSCO work orders.\n\n        Because of the importance of CISSCO, we decided to obtain the opinions of a large\n        number of associated individuals over a broader subject matter and developed a\n        Survey instrument that was sent to approximately 120 persons who have worked\n        with CISSCO. Those responses are included in the report where appropriate and\n        are further presented in Appendix II.\n\n        We evaluated the relevant management controls over work performed under\n        CISSCO and conducted our audit from April 1999 through October 1999 in\n        accordance with generally accepted Government auditing standards.\n\n\n        OIG/99A-13                                                                    Page 1 of 1\n\x0c                                                                                      Appendix II\n                                        Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nCISSCO PROGRAM SURVEY RESULTS\n\n        In order to obtain the views and opinions of a large number of those involved with\n        the CISSCO program over a broad range of topics, we determined that a Survey\n        instrument would best serve our needs. Based on interviews with CISSCO officials,\n        Task Managers, others associated with the program, and on research into similar\n        questionnaires, a pretest version of the Survey instrument was developed. This\n        version was tested with a group of 14 volunteers from among those working with the\n        program. We then discussed the results of the pretest with each volunteer.\n\n        Survey questions were finalized based on the input of the pretest group and on\n        reviews performed by senior Office of the Chief Information Officer officials. Survey\n        questions were grouped in the categories of (1) cost, (2) schedule (timeliness), (3)\n        quality assurance, (4) customer satisfaction, and (5) personnel qualifications.(1) The\n        final Survey instrument was administered, with the support of the Acting Chief\n        Information Officer, to 121 individuals from August 9 through August 18, 1999. Of\n        the 121 employees asked to participate, 63 completed valid surveys for an overall\n        return rate of 52 percent. This return rate is more than sufficient to provide a\n        reliable and valid measure of the current views and opinions of those involved with\n        the CISSCO program.\n\n        Survey questions were of two types, scaled (Always to Never) and Yes/No. For\n        scaled questions, we calculated the average or mean response for all respondents\n        and for various demographic groups. For Yes/No questions, we calculated the\n        percentage responding Yes and No. We have incorporated results where relevant\n        in the body of this report.\n\n        This Appendix includes the overall results for the Survey. The results of our\n        analyses have been discussed with agency officials and may be used as\n        appropriate for other purposes. We provided agency officials with the raw data from\n        the Survey responses, with our analyses, and with the Survey instrument itself for\n        their future use, if appropriate.\n\n\n\n\n    1\n        The questions in the \xe2\x80\x9cpersonnel qualifications\xe2\x80\x9d category are entirely in the Yes/No\n        section. Because the Yes/No questions are a mix of all categories, this category does\n        not have a heading in the accompanying CISSCO Survey Results table.\n\n        OIG/99A-13                                                                     Page 1 of 5\n\x0cAppendix II\nReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\n                           CISSCO PROGRAM SURVEY RESULTS\n                                  SCALE                  ( ) = # of survey     COUNT OF          ALL\n                                                         respondents          PEOPLE WHO         (63)\n                                                                             RESPONDED TO\n                                                                                 EACH\n 1=always; 2=most of the time; 3=half of the time; 4=seldom;\n                                                                               QUESTION\n 5=never\n\n SCHEDULE                                                                    (excluding \xe2\x80\x9cNA\xe2\x80\x9d   AVERAGE\n                                                                                 or \xe2\x80\x9cDK\xe2\x80\x9d        SCALED\n                                                                                answers)\n                                                                                                SCORE\n 1.       Has CSC delivered your products or services within the agreed            56            2.3\n          upon delivery schedules?\n\n 2.       Are CSC\xe2\x80\x99s delivery schedules commensurate with the complexity            54            2.2\n          of your work?\n\n 3.       Do you participate in establishing delivery schedules with CSC?          52            2.3\n 4.       Are CSC monthly status reports detailed enough to help you               43            2.6\n          evaluate the project\xe2\x80\x99s progress against the established\n          schedule?\n\n 5.       Do you receive timely notification of any changes to the agreed          43            2.4\n          upon delivery schedules?\n\n 6.       Does CSC address the cause of schedule delays in a timely                45            2.4\n          manner?\n\n 7.       Do you review the causes of delivery schedule changes with               40            2.1\n          CSC to improve scheduling?\n\n 8.       Do you receive CSC monthly status reports within a useful time           40            2.5\n          frame?\n\n COST\n 9.       Do CSC\xe2\x80\x99s estimates contain sufficient information for you to             48            2.9\n          determine the reasonableness of their proposed costs?\n\n 10.      Do you document the reasons for differences between your IGCE            38            2.7\n          and CSC\xe2\x80\x99s proposed costs?\n\n 11.      Are discussions with CSC effective in reaching an agreement on           40            2.5\n          final cost estimates for a given task?\n\n 12.      Are costs under CISSCO commensurate with work completed?                 46            2.6\n 13.      Do you receive adequate support from your management in                  46            2.4\n          efforts to control costs?\n\n 14.      Are CSC monthly status reports sufficiently detailed to help you         43            3.0\n          evaluate the reasonableness of incurred costs?\n\n\n\n\n                 OIG/99A-13                                                                       Page 2 of 5\n\x0c                                                                                                    Appendix II\n                                                      Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\n                         CISSCO PROGRAM SURVEY RESULTS\n                                SCALE                  ( ) = # of survey      COUNT OF              ALL\n                                                       respondents           PEOPLE WHO             (63)\n                                                                            RESPONDED TO\n                                                                                EACH\n1=always; 2=most of the time; 3=half of the time; 4=seldom;\n                                                                              QUESTION\n5=never\n\n\nQUALITY\n15.     Do CSC project teams adequately understand your task                       53               2.2\n        requirements prior to beginning the work?\n\n16.     Do you get OCIO technical support when needed to accomplish                46               2.3\n        work under CISSCO?\n\n17.     Has CSC ensured that its work teams have the needed                        51               2.3\n        personnel to meet your requirements for a given task?\n\n18.     Are problems you have identified during the course of a task               47               2.1\n        recorded, tracked, and resolved by the end of the task?\n\n19.     Do CSC staff possess sufficient technical expertise to address             51               2.1\n        problems with your work requests?\n\n20.     Does CSC comply with your SOW requirements?                                48               1.8\n21.     Are you satisfied with the quality of CSC products?                        54               2.3\n22.     Has CSC complied with SDLCM requirements on your tasks?                    35               1.8\n23.     Can you obtain additional training, when needed, to improve your           30               2.0\n        proficiency in accomplishing work under CISSCO?\n\nCUSTOMER SATISFACTION\n24.     Do you receive adequate assistance from CISSCO program                     49               2.2\n        officials?\n\n25.     Do you receive adequate assistance from your ADD Business                  32               2.3\n        Area Team in performing work under CISSCO?\n\n26.     Are you able to effectively communicate with CSC about                     51               2.0\n        projects?\n\n27.     Are you satisfied with the IT products and services being                  53               2.3\n        delivered by CSC?\n\n28.     Are you satisfied with the maintenance and support provided by             48               2.3\n        CSC?\n\n29.     Does CISSCO meet your needs as an IT procurement strategy?                 52               2.5\n\n\n\n\n               OIG/99A-13                                                                            Page 3 of 5\n\x0cAppendix II\nReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\n                             CISSCO PROGRAM SURVEY RESULTS\n                                                                                COUNT OF      OVERALL\n                                                                               PEOPLE WHO       (%)\n   The following items are reported as percent                                 RESPONDED\n   responding Yes or No                                                          TO EACH\n                                                                                QUESTION\n\n                                                                                (excluding    YES   NO\n                                                                               \xe2\x80\x9cNA\xe2\x80\x9d or \xe2\x80\x9cDK\xe2\x80\x9d\n                                                                                 answers)\n\n   30.        Does the CISSCO process encourage you to report minor\n              problems before they become major problems?                          42         52    48\n   31.        Have CISSCO program officials requested your input to                53         34    66\n              assess your satisfaction with the program?\n\n   32.        Do you have sufficient opportunity to comment to CISSCO              47         68    32\n              program officials about CSC\xe2\x80\x99s performance?\n\n   33.        Do you believe that SDLCM is sufficiently flexible for your IT       42         41    59\n              needs?\n\n   34.        Have CISSCO processes changed to better meet your                    37         30    70\n              needs?\n\n   35.        Has the agency provided you with sufficient written guidance         49         71    29\n              for conducting work using CISSCO?\n\n   36.        Have you received sufficient training and guidance in                49         53    47\n              preparing IGCEs?\n\n   37.        Have you received sufficient training and guidance in                50         66    34\n              preparing SOWs?\n\n   38.        Do you feel you have received sufficient technical training to       49         71    29\n              be effective in working with IT projects?\n\n   39.        Are you sufficiently familiar with the agency\xe2\x80\x99s current IT           45         44    56\n              architecture, and planned changes to the architecture, to\n              effectively plan or manage IT work?\n\n   40.        Do you feel your responsibilities as a CISSCO Task                   45         60    40\n              Manager are well-defined?\n\n   41.        Do you feel your responsibilities as an IT Coordinator are           22         46    54\n              well-defined?\n\n   42.        Are you aware of the procedures to follow to use vendors             49         45    55\n              other than CSC for systems development, enhancement, or\n              maintenance?\n\n   43.        Would the CISSCO program benefit from having an in-house             37         73    27\n              contracting officer?\n\n\n\n\n                   OIG/99A-13                                                                       Page 4 of 5\n\x0c                                                                                                 Appendix II\n                                                   Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\n\n                     CISSCO PROGRAM SURVEY RESULTS\n                                                                         COUNT OF          OVERALL\n                                                                        PEOPLE WHO           (%)\nThe following items are reported as percent                             RESPONDED\nresponding Yes or No                                                      TO EACH\n                                                                         QUESTION\n\n                                                                         (excluding      YES       NO\n                                                                        \xe2\x80\x9cNA\xe2\x80\x9d or \xe2\x80\x9cDK\xe2\x80\x9d\n                                                                          answers)\n\n44.   Do you feel that you have adequate control over IT projects\n      performed under CISSCO in terms of:                                    49           33       67\n                                          cost?\n\n                                           quality?                          49           65       35\n                                           timeliness?                       51           53       47\n45.   Given the requirements of SDLCM, and the efforts to\n      integrate the agency\xe2\x80\x99s IT systems, do you believe that\n      allowing additional firms to compete for work currently\n      performed by CSC would benefit the agency in terms of:\n\n                                           cost?                             48           71       29\n\n                                           quality?                          46           67       33\n                                           timeliness?                       47           64       36\n\n\n\n\n          OIG/99A-13                                                                              Page 5 of 5\n\x0c                                                                           Appendix III\n                              Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n        ADM          Office of Administration\n        BA           Basic Agreement\n        CIO          Chief Information Officer\n        CISSCO       Comprehensive Information Systems Support\n                          Consolidation program\n        CSC          Computer Sciences Corporation\n        CTACS        CISSCO TAC System\n        DCPM         Division of Contracts and Property Management\n        FAR          Federal Acquisition Regulation\n        FEDSIM       Federal Systems Integration and Management Center\n        FY           fiscal year\n        GSA          General Services Administration\n        HR           Office of Human Resources\n        IGCE         Independent Government Cost Estimate\n        IT           information technology\n        IV&V         independent validation and verification\n        MAC          multiple award contract\n        MD           Management Directive\n        NRC          U.S. Nuclear Regulatory Commission\n        OCIO         Office of the Chief Information Officer\n        OIG          Office of the Inspector General\n        QA           quality assurance\n        QA Plan      CISSCO Quality Assurance Plan\n        SDLCM        System Development Life-Cycle Management\n                            Methodology\n        SOW          statement of work\n        TAC          Task Assignment Control\n        TM           Task Manager\n\n\n\n\n        OIG/99A-13                                                           Page 1 of 1\n\x0c                                                                                           Appendix IV\n                                              Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nAGENCY RESPONSE TO DRAFT REPORT\n\n                                         March 6, 2000\n\n\nMEMORANDUM TO:                Thomas J. Barchi\n                              Assistant Inspector General for Audits\n                              Office of the Inspector General\n\n                              [original signed by]\nFROM:                         Stuart Reiter\n                              Acting Chief Information Officer\n\nSUBJECT:                      OCIO COMMENTS ON OIG REVISED DRAFT AUDIT REPORT\n                              \xe2\x80\x9cREVIEW OF NRC\xe2\x80\x99S CONTROLS OVER WORK PERFORMED\n                              UNDER CISSCO\xe2\x80\x9d\n\n\nI am responding to the February 17, 2000, Office of the Inspector General\xe2\x80\x99s revised draft audit\nreport, \xe2\x80\x9cReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO.\xe2\x80\x9d We understand from\nthe report that you have found that the Agency has provided further assurance of the quality of the\nproducts and services delivered through CISSCO through its implementation of a Systems\nDevelopment and Life Cycle Management (SDLCM) methodology and Computer Science\nCorporation\xe2\x80\x99s (CSC) adherence to that methodology. You also note that CSC has generally met\nproposed schedules for product and service delivery and that Agency staff have few concerns in\nthis area. We also understand that you found the following three areas you audited to be\nsatisfactory: (1) contractor charges for preparing estimates, (2) billing for non-CISSCO contractor\nstaff, and (3) accounting for non-dedicated contractor staff for Small Business reporting.\n\nOur responses to your recommendations are as follows:\n\nRecommendation 1:\n\nBe more proactive in ensuring that CSC\xe2\x80\x99s efforts under its Quality Assurance Plan are an efficient\nuse of Agency resources by, for example, performing a review of CSC\xe2\x80\x99s QA efforts on a\nsemiannual basis.\n\nResponse:\n\nOCIO agrees. The first semiannual review will be completed in August, 2000.\n\nRecommendation 2:\n\nWork with the Executive Director for Operations to: (a) assess the effectiveness of assigning\nCISSCO task management responsibilities to such a large number of individuals, (b) identify the\nskills needed to successfully accomplish Task Manager (TM) duties, and (c) ensure that personnel\nassigned as TMs are adequately prepared to carry out these responsibilities.\n\n\n               OIG/99A-13                                                                    Page 1 of 2\n\x0cAppendix IV\nReview of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nThomas J. Barchi                                 -2-\n\nResponse:\n\nOCIO agrees. By the end of FY 2000, OCIO and EDO/ADM staff, working closely with offices\nusing CISSCO services, will complete assessing the number of staff assigned as TMs; will identify\nskills needed to perform TM duties; and will ensure that personnel being assigned TM\nresponsibilities receive appropriate training.\n\nRecommendation 3:\n\nPending issuance of the new Management Directive (MD) covering interagency agreements,\nconduct the annual, formal evaluations of the interagency agreement with GSA/FEDSIM suggested\nby NRC\xe2\x80\x99s MD 11.1.\n\nResponse:\n\nOCIO agrees. The first annual review will be completed in September, 2000.\n\nOEDO has coordinated on the responses to these recommendations.\n\n\n\n\n                OIG/99A-13                                                              Page 2 of 2\n\x0c                                                                         Appendix V\n                           Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nNRC ORGANIZATIONAL CHART\n\n\n\n\n        OIG/99A-13                                                        Page 1 of 1\n\x0c                                                                          Appendix VI\n                             Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nMAJOR CONTRIBUTORS TO THIS REPORT\n\n        William McDowell\n        Team Leader\n\n        Robert Moody\n        Audit Manager\n\n        Catherine Colleli\n        Management Analyst\n\n        Yvette Russell\n        Auditor\n\n\n\n\n        OIG/99A-13                                                          Page 1 of 1\n\x0c                                                                                        Appendix VII\n                                            Review of NRC\xe2\x80\x99s Controls Over Work Performed Under CISSCO\n\n\n\nOFFICE OF THE INSPECTOR GENERAL PRODUCTS\n\n            INVESTIGATIVE\n1.   INVESTIGATIVE REPORT - WHITE COVER\n     An Investigative Report documents pertinent facts of a case and describes available\n     evidence relevant to allegations against individuals, including aspects of an allegation not\n     substantiated. Investigative reports do not recommend disciplinary action against individual\n     employees. Investigative reports are sensitive documents and contain information subject\n     to the Privacy Act restrictions. Reports are given to officials and managers who have a\n     need to know in order to properly determine whether administrative action is warranted.\n     The agency is expected to advise the OIG within 90 days of receiving the investigative\n     report as to what disciplinary or other action has been taken in response to investigative\n     report findings.\n\n2.   EVENT INQUIRY - GREEN COVER\n     The Event Inquiry is an investigative product that documents the examination of events or\n     agency actions that do not focus specifically on individual misconduct. These reports\n     identify institutional weaknesses that led to or allowed a problem to occur. The agency is\n     requested to advise the OIG of managerial initiatives taken in response to issues identified\n     in these reports but tracking its recommendations is not required.\n\n3.   MANAGEMENT IMPLICATIONS REPORT (MIR) - MEMORANDUM\n     MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of\n     problems and to avoid similar issues in the future. Agency tracking of recommendations\n     is not required.\n\n            AUDIT\n\n4.   AUDIT REPORT - BLUE COVER\n     An Audit Report is the documentation of the review, recommendations, and findings\n     resulting from an objective assessment of a program, function, or activity. Audits follow a\n     defined procedure that allows for agency review and comment on draft audit reports. The\n     audit results are also reported in the OIG\'s "Semiannual Report" to the Congress. Tracking\n     of audit report recommendations and agency response is required.\n\n5.   SPECIAL EVALUATION REPORT - BURGUNDY COVER\n     A Special Evaluation Report documents the results of short-term, limited assessments. It\n     provides an initial, quick response to a question or issue, and data to determine whether\n     an in-depth independent audit should be planned. Agency tracking of recommendations\n     is not required.\n\n            REGULATORY\n\n6.   REGULATORY COMMENTARY - BROWN COVER\n     Regulatory Commentary is the review of existing and proposed legislation, regulations, and\n     policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in\n     programs and operations. Commentaries cite the IG Act as authority for the review, state\n     the specific law, regulation or policy examined, pertinent background information\n     considered and identifies OIG concerns, observations, and objections. Significant\n     observations regarding action or inaction by the agency are reported in the OIG Semiannual\n     Report to Congress. Each report indicates whether a response is required.\n\n            OIG/99A-13                                                                     Page 1 of 1\n\x0c'